Cybersecurity Risk - Financial Executives International

Robert Gregg
CEO
ID Experts
[email protected]
Overview
• Defining the cybersecurity problem
• Serious national security concern
• What does this mean for companies, particularly the CFO
• What we must do - Now
Speaker notes:
• Picture of bad guys from USPIS
• Ocean's 11 analogy
• Zeus malware: 240,000 variants
• Targeting you and your company
• Demetri Galutav: 7,000 hackers, 10 yrs, 400k pol office
• 40-50K hackers active (Secret Service estimate)
• For profit, not notoriety; 32% infected
Cybersecurity Risk
Conclusion of the Internet Security Alliance (ISA), the
American National Standards Institute (ANSI), and
all executives who worked on the project:
The single biggest risk involving cybersecurity is
ignorance and misunderstanding!
We Need a Total Risk Management Approach
The security discipline has so far been skewed
toward technology—firewalls, ID management,
intrusion detection—instead of risk analysis and
proactive intelligence gathering.
PWC Global Cyber Security Survey
We have to shift our focus from considering
cybersecurity a technical-operational issue
to considering it an economic-strategic issue.
Cybersecurity = Investment
Cybersecurity has historically been looked at as a cost.
Increasingly it has to be looked at as an investment:
Greater trust = Stronger brand = Higher sales
The Threat Source
• Outside Intruder (Hacker)
• Well-meaning insider
• Insider with malicious intent
Data Breach Perfect Storm
• Technology advancement
• Shrinking IT budgets
• Hacker sophistication
• Realization of the value of data
• Declining economy
• Government regulations
• Increased outsourcing
The Private Sector
• The private sector owns 95% of the cyber
infrastructure
• The private sector must, by law, operate not in
the public interest but to maximize shareholder
value
• The private sector makes decisions based on
economics
• The way to improve cybersecurity is to alter the
economics of cybersecurity
Follow the Money
• We have, and will continue to have, cyber attacks
because of the economic incentives
• Attacks are easy, cheap and very profitable
• Defense is hard; successful prosecution is 1%
• The perimeter to defend is endless
• It is extremely hard to show ROI because enterprises
don’t analyze their cyber risk correctly
Structural / Economic Misalignment
• Symantec: attacks up 500% between
2006-07 & doubled again between 2009-10
• Cyber Space Policy Review: Cost to American
business = $1 TRILLION
• PWC/CSIS/Forrester all report that investment in
information security is down in 50%-66% of
American companies, and most of the security
spending is for audit compliance, not security
We are Not Cyber Structured
• In 95% of companies the CFO is not directly
involved in information security
• 2/3 of companies don’t have a risk plan
• 83% of companies don’t have a cross
organizational privacy/security team
• Less than ½ have a formal risk management
plan; 1/3 of the ones who do don’t consider
cyber in the plan
What to Do…
• Good News: We know a lot about how to
solve this problem; 80-90% can be solved
by using best practices and standards, but most
don’t due to cost
• Focus on enterprise education so companies
understand total financial cyber risk
• Get a copy of “Financial Management of
Cyber Risk: A Framework for CFOs”
Cybersecurity Document
• Outlines an enterprise-wide process to attack
cyber security broadly and economically
• CFO strategies
• HR strategies
• Legal/compliance strategies
• Operations/technology strategies
• Communications strategies
• Risk Management/insurance strategies
What the CFO Needs to Do
• Own the problem
• Appoint an enterprise-wide cyber risk team
• Get other C-level exec buy-in
• Develop an enterprise-wide cyber risk
management plan & budget
• Complete a comprehensive breach response plan
• Engage a breach response expert
• Implement the plan, analyze it regularly, test and
reform
Human Resources
• Recruitment
• Awareness
• Remote access
• Compensate for cyber security
• Discipline for bad behavior
• Manage social networking
• Beware of vulnerability, especially from IT
and former employees
Legal/Compliance Cyber Issues
• What rules/regulations apply to us and
partners?
• Exposure to theft of our trade secrets?
• Exposure to shareholder and class action suits?
• Are we prepared for govt. investigations?
• Are we prepared for suits by customers and
suppliers?
• Are our contracts up to date and protecting us?
Operations/IT
• What are our biggest vulnerabilities? Re-evaluate?
• What is the maturity of our information
classification systems?
• Are we complying with best practices/standards?
• How good is our physical security?
• Do we have an incident response plan?
• How long until we are back up? Is that what we want?
• Continuity Plan? Vendors/partners/providers plan?
Communications
• Do we have a breach plan for multiple audiences?
  - General public
  - Shareholders
  - Govt./regulators
  - Affected clients
  - Employees
  - Press
Insurance / Risk Management
• Are we covered?
• What can be covered?
• How do we measure cyber losses?
• D&O exposure?
• Who sells cyber insurance & what does it cost?
• How do we evaluate insurance coverage?
Summary
• Cybersecurity is an enterprise problem, not an IT problem
• The risk is growing rapidly
• The CFO is the best person to own and
manage all aspects of the risk
• Look at this as a very strategic
investment, because it is!
Robert Gregg
CEO
www.idexpertscorp.com
ID Experts
[email protected]
Breach line 800-xxx